Installation
This page documents the installation of the AIStor Key Encryption Service.
You may require root or sudo permissions to perform some of the steps.

- Install the AIStor KES binary on each node in your KES cluster.

- Start the KES server

  The following command starts a single-node KES server that uses the data
  directory /etc/kes/data and listens on port 7373:

    kes server --address :7373 --data /etc/kes/data --license SUBNET-LICENSE

  See the KES documentation for additional configuration options.

  For long-term production deployments, you can run KES as a systemd service.
  Modify the service file to include the --license SUBNET-LICENSE parameter in
  the ExecStart line.
- Connect to the KES server

  Once installed, set the following environment variables to allow the kes
  process to communicate with the remote KES server:

    export KES_SERVER=https://kes-1.example.net:7373
    export KES_API_KEY=IDENTITY

  The IDENTITY corresponds to a configured identity with access to the KES
  server and API operations. You can retrieve the root identity by viewing the
  KES server startup logs. If you configured additional identities as part of
  the KES configuration, you can specify those values instead. See the KES
  documentation on policies and identities for more information on identity and
  access management.

  The kes client by default must validate the remote KES server certificate as
  part of establishing a connection. The client uses both the system trust store
  of Certificate Authorities and the contents of the $HOME/.kes/certs/CAs
  directory during validation. Ensure that either the trust store or the CAs
  directory contains the root and intermediate certificates needed to validate
  the remote KES server.
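As an added pre-flight check (not part of KES or its documentation), the following shell script confirms that a saved copy of the server certificate chains to a CA file in $HOME/.kes/certs/CAs and is valid for the host named in KES_SERVER, using only openssl. It assumes openssl is on PATH and that the server certificate was exported to a PEM file; the make_demo_pki helper builds a constructed throw-away PKI purely to exercise the check.

```shell
#!/bin/sh
# Pre-flight trust check for a KES client host. Only the CAs directory is consulted
# (the system trust store is ignored on purpose), so a pass means the CAs directory
# alone is sufficient for the kes client to validate the server. Assumes openssl.

# kes_server_host URL: prints the host part of an https://host:port KES_SERVER value;
# returns 1 for anything that is not an https URL with an explicit port.
kes_server_host() {
  case "$1" in
    https://*:[0-9]*) h=${1#https://}; printf '%s\n' "${h%%:*}"; return 0 ;;
    *) return 1 ;;
  esac
}

# verify_kes_server_cert CERT_PEM KES_SERVER_URL [CAS_DIR]
# Concatenates the *.pem/*.crt files in CAS_DIR (default $HOME/.kes/certs/CAs) into
# one bundle and checks that CERT_PEM chains to it and matches the URL's host.
# Exit status: 0 trusted, 2 bad URL or no CA files, otherwise openssl's failure code.
verify_kes_server_cert() {
  cert=$1; cas_dir=${3:-$HOME/.kes/certs/CAs}
  host=$(kes_server_host "$2") || return 2
  bundle=$(mktemp) || return 2
  for f in "$cas_dir"/*.pem "$cas_dir"/*.crt; do
    [ -f "$f" ] && cat "$f" >> "$bundle"
  done
  if [ ! -s "$bundle" ]; then rm -f "$bundle"; return 2; fi   # nothing to trust
  openssl verify -CAfile "$bundle" -verify_hostname "$host" "$cert" >/dev/null 2>&1
  rc=$?
  rm -f "$bundle"
  return $rc
}

# make_demo_pki DIR: constructed test PKI, not a real deployment. Creates a root CA in
# DIR/CAs, a server cert it signed for kes-1.example.net (DIR/kes.pem), and a
# self-signed cert with the same name that no CA vouches for (DIR/rogue.pem).
make_demo_pki() {
  d=$1; mkdir -p "$d/CAs" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root" \
    -keyout "$d/ca.key" -out "$d/CAs/demo-root.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=kes-1.example.net" \
    -keyout "$d/kes.key" -out "$d/kes.csr" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:kes-1.example.net\n' > "$d/san.cnf"
  openssl x509 -req -in "$d/kes.csr" -CA "$d/CAs/demo-root.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/san.cnf" -out "$d/kes.pem" \
    >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kes-1.example.net" \
    -keyout "$d/rogue.key" -out "$d/rogue.pem" >/dev/null 2>&1
}
```

To check a real deployment, export the server certificate to a file and run verify_kes_server_cert on it with your KES_SERVER value; a non-zero result means the kes client will also refuse the connection unless the system trust store covers the chain.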